Snort mailing list archives

Re: snort suddenly stopped to record events


From: "Alex" <linux () vfemail net>
Date: Mon, 29 Jul 2013 15:11:26 +0300

Hi Waldo,

I've just commented out the following line in snort.conf:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
and restarted snort.

After that, I ran an nmap scan (the same as last time, to find open ports on the target, UDP and TCP).

In the logs appeared: TCP Portscan ... UDP Portscan

Jul 29 14:43:12 ids snort[11851]:     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan

Jul 29 14:45:48 ids snort[11631]: [122:1:1] portscan: TCP Portscan [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {PROTO:255} 192.168.48.1 -> 192.168.48.200
Jul 29 14:45:59 ids snort[11631]: [122:17:1] portscan: UDP Portscan [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {PROTO:255} 192.168.48.1 -> 192.168.48.200

Jul 29 14:47:07 ids snort[11631]: [122:19:1] portscan: UDP Portsweep [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {PROTO:255} 192.168.48.30 -> 192.168.22.9

So, now I'm happy, snort is working :-)

Thank you very much Waldo for your help.

Regards,
Alx
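The portscan events above are Snort 2.x syslog alerts from the sfportscan preprocessor (generator id 122). As an added example, not code from the thread or from the Snort project, here is a small parser that pulls the gid:sid:rev, message, classification, priority, interface, protocol and endpoints out of such lines and tallies the scan alerts per scanning source, which is the first thing an analyst wants when checking whether the preprocessor fires as expected. The sample log is constructed from the lines quoted above; the "Detect Scan Type" startup line is included to show that non-alert lines are skipped.

```python
"""Parse Snort 2.x syslog alert lines (e.g. sfportscan events) and summarize scans per source.

Added example for this thread; not Snort project code. The regex follows the
alert shape visible in the pasted logs:
  ... snort[pid]: [gid:sid:rev] msg [Classification: ...] [Priority: N]: <iface> {PROTO:n} src -> dst
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ALERT_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]:\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]:\s+"
    r"(?:<(?P<iface>[^>]+)>\s+)?"          # interface tag is optional in Snort output
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"   # ports are absent for portscan events
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

PORTSCAN_GID = 122  # generator id of the sfportscan preprocessor ([122:x:y] above)

# Constructed sample: the lines quoted in the thread, joined back onto single lines.
SAMPLE_LOG = [
    "Jul 29 14:43:12 ids snort[11851]:     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan",
    "Jul 29 14:45:48 ids snort[11631]: [122:1:1] portscan: TCP Portscan [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {PROTO:255} 192.168.48.1 -> 192.168.48.200",
    "Jul 29 14:45:59 ids snort[11631]: [122:17:1] portscan: UDP Portscan [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {PROTO:255} 192.168.48.1 -> 192.168.48.200",
    "Jul 29 14:47:07 ids snort[11631]: [122:19:1] portscan: UDP Portsweep [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {PROTO:255} 192.168.48.30 -> 192.168.22.9",
]


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    iface: Optional[str]
    proto: str
    src: str
    dst: str


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        iface=m["iface"], proto=m["proto"], src=m["src"], dst=m["dst"],
    )


def summarize_portscans(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count sfportscan alerts per scanning source, keyed by the alert message."""
    per_source: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert.gid != PORTSCAN_GID:
            continue  # skip non-alert lines and alerts from other generators
        per_source[alert.src][alert.msg] += 1
    return {src: dict(counts) for src, counts in per_source.items()}


if __name__ == "__main__":
    for src, counts in summarize_portscans(SAMPLE_LOG).items():
        print(src, counts)
```

Run it against a real syslog file by replacing SAMPLE_LOG with the file's lines; sources that accumulate several distinct scan types in a short window are the ones worth looking at first, and a scanner that produces no gid 122 events at all is the symptom this thread started with (sfportscan disabled or misconfigured).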
----- Original Message ----- 
From: "waldo kitty" <wkitty42 () windstream net>
To: <snort-users () lists sourceforge net>
Sent: Friday, July 26, 2013 9:48 PM
Subject: Re: [Snort-users] snort suddenly stopped to record events


On 7/26/2013 10:18, Alex wrote:
So, what should be commented out in snort.conf or what rules should be
activated in order to make snort able to detect and identify such network
scan?

check nmap for what those options generate as packets... then you'll have to find or write rules to detect those packets... they may exist already and be disabled... i don't know... i had to specifically disable some ICMP rules in my locations to turn off alerts from them but i think they were from a different supplier... you might also want to use the community rules if you are not already... they might have related scan type rules...

-- 
NOTE: No off-list assistance is given without prior approval.
      Please keep mailing list traffic on the list unless
      private contact is specifically requested and granted.

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort 
news!




